13 Jan, 2015
3 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@12054 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12053 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12052 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
12 Jan, 2015
2 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@12047 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
…cli configurator was broken due to a missing parameter git-svn-id: https://svn.forgerock.org/openam/trunk@12040 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
10 Jan, 2015
1 commit
Yesterday we transferred the openid repo to the ForgeRock community space. The old link technically still works, as GitHub uses a redirect. The link used here is now the direct link, however. git-svn-id: https://svn.forgerock.org/openam/trunk@12038 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
06 Jan, 2015
1 commit
…ENAM-4903 IP environment condition is not validated properly git-svn-id: https://svn.forgerock.org/openam/trunk@12032 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
05 Jan, 2015
5 commits
…page if the authlevel is invalid git-svn-id: https://svn.forgerock.org/openam/trunk@12024 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12020 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12019 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12018 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@12017 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
01 Jan, 2015
1 commit
SAML session synchronization now no longer fails if one of the remote entities does not have SOAP SLO endpoint. Such entities are now just simply ignored; all other entities that supports SOAP SLO will be notified of the session invalidation. git-svn-id: https://svn.forgerock.org/openam/trunk@12016 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
24 Dec, 2014
1 commit
git-svn-id: https://svn.forgerock.org/openam/trunk@12011 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
23 Dec, 2014
1 commit
git-svn-id: https://svn.forgerock.org/openam/trunk@12007 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
22 Dec, 2014
3 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@11998 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
…r and UI now reflect this. git-svn-id: https://svn.forgerock.org/openam/trunk@11995 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
…ses as described in the SAMLv2 spec git-svn-id: https://svn.forgerock.org/openam/trunk@11991 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
19 Dec, 2014
5 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@11984 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11983 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11982 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11981 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11980 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
18 Dec, 2014
6 commits
This patch removes the list of features and issues that are specifically associated with OpenAM 12.0.0. For the published lists see the OpenAM 12.0.0 release notes, http://docs.forgerock.org/en/openam/12.0.0/release-notes/ git-svn-id: https://svn.forgerock.org/openam/trunk@11975 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11974 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
…levant license file when releasing git-svn-id: https://svn.forgerock.org/openam/trunk@11971 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11969 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11968 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11967 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
17 Dec, 2014
9 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@11957 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11956 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11952 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11951 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
<!-- ! CCPL HEADER START ! ! This work is licensed under the Creative Commons ! Attribution-NonCommercial-NoDerivs 3.0 Unported License. ! To view a copy of this license, visit ! http://creativecommons.org/licenses/by-nc-nd/3.0/ ! or send a letter to Creative Commons, 444 Castro Street, ! Suite 900, Mountain View, California, 94041, USA. ! ! You can also obtain a copy of the license at ! src/main/resources/legal-notices/CC-BY-NC-ND.txt. ! See the License for the specific language governing permissions ! and limitations under the License. ! ! If applicable, add the following below this CCPL HEADER, with the fields ! enclosed by brackets "[]" replaced with your own identifying information: ! Portions Copyright [yyyy] [name of copyright owner] ! ! CCPL HEADER END ! ! Copyright 2011-2014 ForgeRock AS ! --> <chapter xml:id='chap-compatibility' xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd' xmlns:xlink='http://www.w3.org/1999/xlink'> <title>OpenAM Changes & Deprecated Functionality</title> <para>This chapter covers both major changes to existing functionality, and also deprecated and removed functionality.</para> <section xml:id="changes"> <title>Important Changes to Existing Functionality</title> <itemizedlist> <!-- Update docs for click-through license acceptance KEEP THIS AT TOP --> <listitem> <para>All OpenAM core server, tools, and agent installers now display a software license acceptance screen prior to configuration. You must agree to the license to continue the configuration. </para> <para>For users implementing scripted or silent installs, the installers and upgrader tools provide a <option>--acceptLicense</option> command-line option, indicating that you have read and accepted the terms of the license. If the option is not present on the command-line invocation, the installer or upgrader will interactively present a license agreement screen to the user.</para> </listitem> <!-- AME-4013, AME-2766, etc. --> <listitem> <para> When you visit the Policies tab for a realm in OpenAM console, OpenAM now directs you to the new policy editor. For instructions on using the new policy editor, see the <citetitle>Administration Guide</citetitle> chapter, <link xlink:href="admin-guide#chap-authz-policy" xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink" ><citetitle>Defining Authorization Policies</citetitle></link>. Notice that policies now belong to applications as described in that chapter. </para> <itemizedlist> <para> OpenAM has changed its internal representation for policies to better fit the underlying implementation, which is based on a new engine designed for higher performance and finer grained policies. When you upgrade to this version, OpenAM migrates your policies to the new representation. </para> <para> Depending on your existing policies before upgrade, you can see the following differences: </para> <listitem> <para> Existing policies with multiple resource rules map to multiple new policies. </para> <para> When a single policy maps to multiple policies during migration, OpenAM appends a number to the existing name for each new policy. This allows you to recognize the set of policies when you must manage them together, for example to change them all in the same way. </para> <para> This behavior is to optimize policy evaluation performance. The newer policy engine matches resources to policies during evaluation with indexing that proves very efficient as long as each policy specifies one resource pattern. OpenAM processes the list of resources in policies in linear fashion, so long lists of resources can slow policy evaluation. </para> </listitem> <listitem> <para> Conditions in existing policies map to newer representations. </para> <para> New representations exist for all existing conditions provided in OpenAM out of the box. Custom conditions developed for your deployment do not map to any of the newer conditions provided. In that case you must implement your custom conditions by implementing the newer service provider interfaces, and then replace your existing policies to use them. </para> <para> To see how to implement a custom policy plugin, see the <citetitle>Developer's Guide</citetitle> chapter, <link xlink:href="dev-guide#chap-policy-spi" xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink" ><citetitle>Customizing Policy Evaluation</citetitle></link>. </para> </listitem> <listitem> <para> When OpenAM encounters issues migrating policies during upgrade, it writes messages about the problems in the upgrade log. When you open a policy in the policy editor that caused problems during the upgrade process the policy editor shows the issues, but does not let you fix them directly. Instead you must create equivalent, corrected policies in order to use them in OpenAM. </para> </listitem> <listitem> <para> It is strongly recommended <emphasis>not</emphasis> to use the forward slash character in policy names. Users running OpenAM servers on Tomcat and JBoss web containers will not be able to manipulate policies with the forward slash character in their names without setting the <literal>‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal> argument in the <literal>CATALINA_OPTS</literal> environment variable before starting the OpenAM web container. </para> <para> It is also strongly recommended not to enable the <literal>ALLOW_ENCODED_SLASH=true</literal> setting while running OpenAM in production. Using this option introduces a security risk. See <link xlink:href="http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.10 ">Apache Tomcat 6.x Vulnerabilities</link> and <link xlink:href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450 ">the related CVE</link> for more information. </para> <para> If you have policy names with forward slashes after migration to OpenAM 12, rename the policies so that they do not have forward slashes. Perform the following steps if you use Tomcat or JBoss as your OpenAM web container: <orderedlist> <listitem> <para> Stop the OpenAM web container. </para> </listitem> <listitem> <para> Add the <literal>‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal> setting to the <literal>CATALINA_OPTS</literal> environment variable. </para> </listitem> <listitem> <para> Restart the OpenAM web container. </para> </listitem> <listitem> <para> Rename any policies with forward slashes in their names. </para> </listitem> <listitem> <para> Stop the OpenAM web container. </para> </listitem> <listitem> <para> Remove the <literal>‑Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true</literal> setting from the <literal>CATALINA_OPTS</literal> environment variable. </para> </listitem> <listitem> <para> Restart the OpenAM web container. </para> </listitem> </orderedlist> </para> </listitem> </itemizedlist> <itemizedlist> <para> OpenAM configuration has changed in several ways to accommodate the changes to the way policies are managed: </para> <listitem> <para> The Policy Configuration Service is simplified. For details see the <citetitle>Reference</citetitle> section, <link xlink:href="reference#policy-configuration" xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink" ><citetitle>Policy Configuration</citetitle></link>. </para> </listitem> <listitem> <para> OpenAM now requires policy referrals only when an application is administered across multiple realms, as can be the case when one policy agent protects multiple applications. Otherwise, OpenAM can use new settings in policy agent profiles to direct policy agent requests to the appropriate realm and application. </para> <!-- AME-5055 --> <note><para>Referrals are not shown by default in the policy editor. To enable them, in the OpenAM console, select Configuration > Global > Policy Configuration, set Activate Referrals to Enabled, and then click Save.</para></note> <para> The web and Java EE policy agent profiles includes the new settings under OpenAM Services > Policy Client Service in OpenAM console. These new settings allow you to set the realm and application for a policy agent. The settings are compatible with existing policy agents, as they are not used by the policy agents themselves, but instead by OpenAM when handling policy agent requests. </para> </listitem> </itemizedlist> <para> The fix for <link xlink:show="new" xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-3509" >OPENAM-3509</link> ensures that OpenAM considers a trailing slash as part of the resource name to match. This improves compatibility between self and subtree modes, and compatibility with older policy agents. </para> </listitem> <listitem> <para>The Device ID (Match), HMAC One-Time Password (HOTP), and Device ID (Save) modules, configured together in an authentication chain, provide the same functionality as the Device Print Authentication module that is present in OpenAM 11.x versions. </para> <para> The Device Print authentication module is only available for OpenAM 11.x versions and their upgrades. If you have upgraded from OpenAM 11.x to OpenAM 12.0 you can still use the Device Print module, customize it, and create new instances of the module or use the Device ID (Match) and Device ID (Save) modules. </para> <important><para>The Device ID (Match) profiles (that is, device fingerprints) are incompatible with profiles created from the Device Print authentication module. If the user has existing device print profiles, created from the Device Print authentication module, these old profiles will always fail to match the client's new device profiles using the scripted Device ID (Match) module even when using the same device.</para> <para>With the Device ID (Match) and Device ID (Save) modules, the user must re-save each device profile, which deletes the old 11.x profiles stored for the user.</para> </important> </listitem> <listitem> <para> Following a change to the SAML 2.0 pages in OpenAM, you no longer customize <filename>saml2login.template</filename> and <filename>saml2loginwithrelay.template</filename> to add a progress bar for single sign on. Instead, customize <filename>saml2/jsp/autosubmitaccessrights.jsp</filename> as described in the procedure, <link xlink:show="new" xlink:href="admin-guide#show-saml2-sso-login-progress" xlink:role="http://docbook.org/xlink/role/olink"><citetitle >To Indicate Progress During SSO</citetitle></link>. </para> </listitem> <listitem> <para>Changing passwords by using a PUT REST API call is no longer supported.</para> <para>Use a POST request to <literal>/json/<replaceable>subrealm</replaceable >/users/<replaceable>username</replaceable>?_action=changePassword</literal> to change a password.</para> </listitem> <listitem> <para>The response returned when submitting incorrect credentials to <literal>/json/authenticate</literal> has changed.</para> <table pgwide="1"> <title>Failed Authentication Message</title> <tgroup cols="2"> <colspec colnum="1" colwidth="1*"/> <colspec colnum="2" colwidth="1*"/> <thead> <row> <entry>OpenAM 11.0.1</entry> <entry>OpenAM 12.0.0</entry> </row> </thead> <tbody> <row> <entry> <programlisting language="javascript">{ "errorMessage": "Authentication Failed!!", "failureUrl": "https://openam.example.com:8443" }</programlisting> </entry> <entry> <programlisting language="javascript">{ "code": 401, "reason": "Unauthorized", "message": "Authentication Failed!!", "detail": { "failureUrl": "https://openam.example.com:8443" } }</programlisting> </entry> </row> </tbody> </tgroup> </table> </listitem> <listitem> <para> When running OpenAM on WebLogic 11g, you must add a WebLogic-specific descriptor file, <filename>WEB-INF/weblogic.xml</filename> to the .war before deployment. </para> </listitem> <!-- OPENAM-5263 //--> <listitem> <para> In the OpenID Connect 1.0 module you can map local user profile attributes to OpenID Connect Token claims, allowing the module to retrieve the user profile based on the ID Token. The key is the ID Token field name and value is the local user profile attribute name. The default has been changed as follows: mail=email, uid=sub. (<link xlink:show="new" xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5263" >OPENAM-5263</link>)</para> </listitem> <listitem> <para> The class hierarchy for the <literal>ResourceName</literal> interfaces has changed. Previous implementations should be source-compatible, but will not be binary-compatible, and will need recompiling. </para> </listitem> <!-- OPENAM-5279 //--> <listitem> <para> The OAuth2 provider uses RSA as its default encryption algorithm. The default OAuth2 client agent configuration has been changed to RS256 to match the OAuth2 provider algorithm. The client agent continues to support HMAC algorithms; only the default encryption algorithm has been changed to support out-of-the-box functionality. (<link xlink:show="new" xlink:href="https://bugster.forgerock.org/jira/browse/OPENAM-5279" >OPENAM-5279</link>) </para> </listitem> <listitem> <para> The distributed authentication service (DAS) and cross-domain single sign-on (CDSSO) do not support the <literal>iPSPCookie/DProPCookie</literal> query string parameter to set a <literal>DProPCookie</literal> in the user-agent as a mechanism for cookie persistence. Neither DAS nor CDSSO retains <literal>iPSPCookie=yes</literal>. </para> </listitem> <listitem> <para>Updates to OAuth 2.0 and OpenID Connect authentication modules mean that any custom implementations of <literal>org.forgerock.openam.authentication.modules.oauth2.AccountMapper</literal> or <literal>org.forgerock.openam.authentication.modules.oauth2.AttributeMapper</literal> no longer work, and needs to be reimplemented against <literal>org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper</literal> and/or <literal>org.forgerock.openam.authentication.modules.common.mapping.AccountProvider</literal> as appropriate. </para> </listitem> <listitem> <para> The XUI, now the default for end-user pages, handles DNS/realm alias differently from the classic UI, which was the default in previous OpenAM versions. With the classic UI, the realm alias is specified both in the host name and the URI path. With the XUI, the host name alone specifies the realm. The XUI evaluates a realm specified in the path of the URL as a subrealm of the realm specified by the host name alias. </para> <para> For example, with the classic UI, you could authenticate to a realm, <literal>realm1</literal> using the DNS alias <literal>realm1.example.com:8080</literal> and the realm query parameter, <literal>realm=realm1</literal>, as follows: </para> <programlisting> http://realm1.example.com:8080/openam/UI/Login?realm=realm1 </programlisting> <para> With XUI, you do not include a realm in the URI if it has already been mapped as now any URI realm is additive and specifies a subrealm of the DNS alias realm. For example, using the following URL indicates that you are attempting to authenticate to <literal>/realm1/realm1</literal> (that is, the sub-realm, <literal>realm1</literal> under the realm, <literal>realm1</literal>). </para> <programlisting> http://realm1.example.com:8080/openam/XUI/#Login/realm1 </programlisting> <para> As another example, if you have a sub-realm called <literal>test</literal> under <literal>/realm1</literal> and make a request to: </para> <programlisting> http://realm1.example.com:8080/openam/XUI/#Login/test </programlisting> <para> The request authenticates to <literal>/realm1/test</literal>. Note also that the use of URI realm is preferred over realm as a query parameter. </para> </listitem> </itemizedlist> </section> <section xml:id="deprecated"> <title>Deprecated Functionality</title> <para>The following functionality is deprecated in OpenAM <?eval ${serverDocTargetVersion}?>, and is likely to be removed in a future release.</para> <itemizedlist> <listitem> <para> Classic (JATO-based) UI is deprecated for end user pages. OpenAM offers the JavaScript-based XUI as a replacement. Classic UI for end user pages is likely to be removed in a future release. </para> </listitem> <listitem> <para>Older REST services relying on the following endpoints are deprecated.</para> <simplelist type="vert" columns="2"> <member>/identity/attributes</member> <member>/identity/authenticate</member> <member>/identity/authorize</member> <member>/identity/create</member> <member>/identity/delete</member> <member>/identity/isTokenValid</member> <!-- Pending replacement <member>/identity/log</member> --> <member>/identity/logout</member> <member>/identity/read</member> <member>/identity/search</member> <member>/identity/update</member> <member>/ws/1/entitlement/decision</member> <member>/ws/1/entitlement/decisions</member> <member>/ws/1/entitlement/entitlement</member> <member>/ws/1/entitlement/entitlements</member> </simplelist> <para>The following table shows how legacy and newer endpoints correspond.</para> <table pgwide="1"> <title>REST Endpoints</title> <tgroup cols="2"> <colspec colnum="1" colwidth="1*"/> <colspec colnum="2" colwidth="1*"/> <thead> <row> <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability" xlink:role="http://docbook.org/xlink/role/olink">Deprecated</link> URIs</entry> <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability" xlink:role="http://docbook.org/xlink/role/olink">Evolving</link> URIs</entry> </row> </thead> <tbody> <row> <entry>/identity/attributes</entry> <entry>/json/users</entry> </row> <row> <entry>/identity/authenticate</entry> <entry>/json/authenticate</entry> </row> <row> <entry>/identity/authorize</entry> <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry> </row> <row> <entry>/identity/create, /identity/delete, /identity/read, /identity/search, /identity/update</entry> <entry>/json/agents, /json/groups, /json/realms, /json/users</entry> </row> <row> <entry>/identity/isTokenValid</entry> <entry>/json/sessions/<replaceable>tokenId</replaceable>?_action=validate</entry> </row> <!-- <row> <entry>/identity/log</entry> <entry>Pending replacement</entry> </row> --> <row> <entry>/identity/logout</entry> <entry>/json/sessions/?_action=logout</entry> </row> <row> <entry>/ws/1/entitlement/decision, /ws/1/entitlement/decisions, /ws/1/entitlement/entitlement, /ws/1/entitlement/entitlements</entry> <entry>/json/policies?_action=evaluate, /json/policies?_evaluateTree</entry> </row> <row> <entry>N/A</entry> <entry>/json/applications</entry> </row> <row> <entry>N/A</entry> <entry>/json/applicationtypes</entry> </row> <row> <entry>N/A</entry> <entry>/json/conditiontypes</entry> </row> <row> <entry>N/A</entry> <entry>/json/dashboard</entry> </row> <row> <entry>N/A</entry> <entry>/json/decisionscombiners</entry> </row> <row> <entry>N/A</entry> <entry>/json/policies</entry> </row> <row> <entry>N/A</entry> <entry>/json/referrals</entry> </row> <row> <entry>N/A</entry> <entry>/json/serverinfo</entry> </row> <row> <entry>N/A</entry> <entry>/json/subjectattributes</entry> </row> <row> <entry>N/A</entry> <entry>/json/subjecttypes</entry> </row> <row> <entry>N/A</entry> <entry>/xacml/policies</entry> </row> </tbody> </tgroup> </table> <para>Find examples in the <citetitle>Developer Guide</citetitle> chapter <link xlink:href="dev-guide#chap-rest" xlink:role="http://docbook.org/xlink/role/olink" xlink:show="new"><citetitle>Using RESTful Web Services</citetitle></link>.</para> <para>Support for the older REST services is likely to be removed in a future release in favor of the newer REST services. Older REST services will be removed only after replacement REST services are introduced.</para> </listitem> <!-- AME-5059 //--> <listitem> <para>With the implementation of XACML 3.0 support when importing and exporting policies the following <option>ssoadm</option> commands have been replaced:</para> <table> <title>Policy Import and Export with ssoadm</title> <tgroup cols="2"> <colspec colnum="1" colwidth="1*"/> <colspec colnum="2" colwidth="1*"/> <thead> <row> <entry><link xlink:show="new" xlink:href="admin-guide#interface-stability" xlink:role="http://docbook.org/xlink/role/olink"> Deprecated</link> Command</entry> <entry>Newer <link xlink:show="new" xlink:href="admin-guide#interface-stability" xlink:role="http://docbook.org/xlink/role/olink"> Evolving</link> Command</entry> </row> </thead> <tbody> <row> <entry><literal>create-policies</literal></entry> <entry><literal>create-xacml</literal></entry> </row> <row> <entry><literal>delete-policies</literal></entry> <entry><literal>delete-xacml</literal></entry> </row> <row> <entry><literal>list-policies</literal></entry> <entry><literal>list-xacml</literal></entry> </row> <row> <entry><literal>update-policies</literal></entry> <entry><literal>create-xacml</literal></entry> </row> </tbody> </tgroup> </table> <para>For more information, see the <citetitle>OpenAM Reference</citetitle> section <link xlink:show="new" xlink:href="reference#ssoadm-1" xlink:role="http://docbook.org/xlink/role/olink"> ssoadm — configure OpenAM core services</link>.</para> </listitem> <!-- Are any of these deprecated features removed in OpenAM 12.0.0? --> <!-- START: Deprecated in OpenAM 11.0.0 --> <listitem> <para>With the implementation of OAuth 2.0 in this release, OAuth 1.0 has been deprecated. OAuth 1.0 support was originally provided in OpenAM 9.</para> </listitem> <listitem> <para>The Netscape LDAP API is to be removed from OpenAM, with OpenAM using the OpenDJ LDAP SDK instead. This affects all classes in <literal>com.sun.identity.shared.ldap.*</literal> packages.</para> </listitem> <listitem> <para>OpenAM currently uses Sun Java System Application Framework (JATO). JATO is deprecated and is likely to be replaced in a future release.</para> </listitem> <listitem> <para>With the implementation of the Persistent Cookie authentication module, the Core Authentication module persistent cookie options are deprecated and are likely to be removed in a future release.</para> </listitem> <!-- END: Deprecated in OpenAM 11.0.0 --> <listitem> <para> The OAuth 2.0 plugin interface for custom scopes, <link xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/Scope.html" xlink:show="new"><literal>Scope</literal></link> is deprecated and likely to be removed in a future release. </para> <para> Custom OAuth 2.0 scopes plugins now implement the <link xlink:href="${javadocBase}?org/forgerock/oauth2/core/ScopeValidator.html" xlink:show="new" ><literal>ScopeValidator</literal></link> interface instead. For an example, see the <citetitle>Developer's Guide</citetitle> chapter, <link xlink:href="dev-guide#chap-oauth2-scopes" xlink:role="http://docbook.org/xlink/role/olink" xlink:show="new" ><citetitle>Customizing OAuth 2.0 Scope Handling</citetitle></link>. </para> </listitem> <listitem> <para> The OAuth 2.0 plugin interface for custom response types, <link xlink:href="${javadocBase}?org/forgerock/openam/oauth2/provider/ResponseType.html" xlink:show="new"><literal>ResponseType</literal></link> is deprecated and likely to be removed in a future release. </para> <para> Custom OAuth 2.0 response type plugins now implement the <link xlink:href="${javadocBase}?org/forgerock/oauth2/core/ResponseTypeHandler.html" xlink:show="new" ><literal>ResponseTypeHandler</literal></link> interface instead. </para> </listitem> </itemizedlist> </section> <section xml:id="removed"> <title>Removed Functionality</title> <itemizedlist> <listitem> <para> No functionality has been removed in this release. </para> </listitem> </itemizedlist> </section> </chapter> git-svn-id: https://svn.forgerock.org/openam/trunk@11949 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11946 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11942 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11941 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11935 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
16 Dec, 2014
2 commits
git-svn-id: https://svn.forgerock.org/openam/trunk@11931 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d
git-svn-id: https://svn.forgerock.org/openam/trunk@11929 0f4defcf-c51a-4c67-9f44-6fb5eba73c5d